Introduction

Note: Cisco bug IDs marked as investigative are not restricted to the symptoms described. If you face issues with Java 7, ensure that you upgrade the AnyConnect client version to the latest client version or to at least the 3.1 maintenance release 3 version available on Cisco Connection Online (CCO).

General Troubleshooting

Run the Java Verifier in order to check if Java is supported on the browsers in use. If Java is enabled properly, review the Java console logs in order to analyze the problem.

Specific Troubleshooting

AnyConnect

Windows

Cisco bug ID CSCuc55720, "IE crashes with Java 7 when 3.1.1 package is enabled on the ASA," was a known issue, where Internet Explorer crashed when a WebLaunch was performed and AnyConnect 3.1 was enabled on the headend. This bug has been fixed.

You might encounter issues when you use some versions of AnyConnect and Java 7 with Java apps. For further information, see Cisco bug ID CSCue48916, "Java App(s) Break when using AnyConnect 3.1.00495 or 3.1.02026 & Java v7."

Issues with Java 7 and IPv6 Socket Calls

If AnyConnect does not connect even after you upgrade the Java Runtime Environment (JRE) to Java 7, or if a Java application is unable to connect over the VPN tunnel, review the Java console logs and look for these messages:

Issues with AnyConnect WebLaunch After Java 7 Upgrade

Cisco JavaScript code previously looked for Sun as the value for the Java vendor. However, Oracle changed that value as described in JDK7: Java vendor property changes. This issue was fixed by Cisco bug ID CSCub46241, "AnyConnect weblaunch fails from Internet Explorer with Java 7."
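The failure mode described above, shown as an added illustration rather than Cisco's WebLaunch code: a check keyed on the "Sun" branding rejects a Java 7 JRE, while a check that accepts both values of the java.vendor property and then decides on the version does not. The function names and the minimum version of 6 are assumptions made for this example.

```javascript
// Added illustration; not Cisco's WebLaunch code. All function names are hypothetical.
// Values of the java.vendor system property before and after the JDK 7 change.
const KNOWN_VENDORS = new Set(["Sun Microsystems Inc.", "Oracle Corporation"]);

// Legacy-style check: keys on the "Sun" branding only.
function legacyVendorCheck(vendor) {
  return typeof vendor === "string" && vendor.indexOf("Sun") === 0;
}

// Parse java.version strings such as "1.6.0_45" or "1.7.0_45" into a feature number.
function parseFeatureVersion(version) {
  const m = /^1\.(\d+)\.\d+(?:_\d+)?$/.exec(String(version).trim());
  return m ? Number(m[1]) : null;
}

// Tolerant check: accept every known vendor string, then decide on the version.
// minFeature = 6 is an assumed policy value for this example.
function checkJre(props, minFeature = 6) {
  const vendor = String(props.vendor || "").trim();
  const feature = parseFeatureVersion(props.version);
  if (!KNOWN_VENDORS.has(vendor)) {
    return { ok: false, reason: "unknown vendor: " + vendor };
  }
  if (feature === null) {
    return { ok: false, reason: "unparseable version" };
  }
  if (feature < minFeature) {
    return { ok: false, reason: "JRE too old: " + feature };
  }
  return { ok: true, reason: "JRE " + feature + " from " + vendor };
}

// Constructed sample property sets (not captured from a real client).
const samples = [
  { vendor: "Sun Microsystems Inc.", version: "1.6.0_45" },
  { vendor: "Oracle Corporation", version: "1.7.0_45" },
];
for (const s of samples) {
  console.log(s.version, "legacy:", legacyVendorCheck(s.vendor),
              "tolerant:", checkJre(s).ok);
}
```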

Mac

Miscellaneous

Issues with Java 7 Apps on Cisco AnyConnect

Cisco bug ID CSCue48916, "Java App(s) Break when using AnyConnect 3.1.00495 or 3.1.02026 & Java v7," has been filed. Initial investigation indicates that the issues are not a bug on the client side, but might be related to the Java virtual machine (VM) configuration instead.

Previously, in order to use Java 7 apps on the AnyConnect 3.1(2026) client, you unchecked the IPv6 virtual adapter settings. However, it is now necessary to complete all of the steps in this procedure:

Windows

Hostscan is susceptible to crashes similar to those described previously for AnyConnect in Windows (Cisco bug ID CSCuc55720). The Hostscan issue has been resolved by Cisco bug ID CSCuc48299, "IE with Java 7 crashes on HostScan Weblaunch."

Mac

Issues with CSD Versions 3.5.x and Java 7

In CSD 3.5.x, all WebVPN connections fail; this includes AnyConnect web launches. The Java console logs do not reveal any problems:

The resolution is to upgrade CSD or downgrade Java. Because Cisco recommends that you run the latest version of CSD, you should upgrade CSD, rather than downgrade Java, especially since a Java downgrade can be difficult on a Mac.

Issues with Chrome and Safari with WebLaunch on Mac 10.8

Issues with Chrome and Safari are expected behavior:

Chrome is a 32-bit browser and does not support Java 7.

Chrome has never been an officially supported browser for WebLaunch.

Mac 10.8 disabled the use of Java 7 on Safari, and older versions of Java are not enabled by default.

If you already have Java 7 installed, the resolutions are:

Use Firefox.

Enable Java 7 on Safari:

Verify that Java 7 is installed on the Mac and that the Mac has been restarted. Open Firefox, and go to the Java Verifier.

Open Safari, and go to the Java Verifier again. You should now see this screen:

Tip: If you do not have Java installed or you have an older version of Java, you are likely to see the error message 'Java blocked for this web site' on java.com. See Java updates available for OS X on August 28, 2013 on the Apple support forum for information on installation of Java updates.

at java.lang.Thread.run(Thread.java:744)
Mon Dec 16 16:00:17 EST 2013 Failed to download cstub
network: Created version ID: 1.7.0.45

This indicates that you are encountering Cisco bug ID CSCuj02425, "WebLaunch on OSX 10.9 fails if java unsafe mode is disabled." In order to work around this issue, modify the Java preferences so Java can run in unsafe mode for Safari:

Click Preferences.

Click Manage Website Settings.

In the Security tab, select Java, and note that Allow is selected by default.

Change Allow to Run in Unsafe Mode.

WebVPN

For WebVPN issues related to Java, collect this data for troubleshooting purposes:

Output from the show tech-support command.

Java console logs with and without Adaptive Security Appliance (ASA) as explained in the General Troubleshooting section.

An application is affected if it uses Java started through a web browser. Applications run from anywhere outside a web browser are fine. For WebVPN, this means that all of the client plugins that are distributed by Cisco could be impacted. Since these plugins are not maintained or supported by Cisco, Cisco cannot make changes to the code signing certificate or to the applet in order to ensure it complies with these restrictions.

The proper solution for this is to use the temporary code signing certificate on the ASA. ASAs provide a temporary code signing certificate to sign Java applets (for Java rewriter and plugins). The temporary certificate lets Java applets perform their intended functions without a warning message. ASA administrators should replace the temporary certificate before it expires with their own code signing certificate issued by a trusted certificate authority (CA). If this is not a viable option, the workaround is to complete these steps:

You can use the Exception Site list feature on the end client machine's Java settings in order to run the applications blocked by security settings. The steps to do this are described in Issues with Safari with WebLaunch on Mac 10.9.

You can also lower the Java Security settings. This setting is also set in the client machine's Java settings as shown here:

Warning: The use of these workarounds still gives you some errors, but Java does not block the application as it would have done without the workarounds in place.

Windows

Applications that launch Java applets have been reported to fail over WebVPN after an upgrade to Java 7. This problem is caused by the lack of Secure Hash Algorithm (SHA)-256 support for the Java rewriter. Cisco bug ID CSCud54080, "SHA-256 support for webvpn Java rewriter," has been filed for this issue.

Applications that start Java applets through the portal with Smart Tunnel might fail when JRE7 is used; this is most common with 64-bit systems. In the captures, note that the Java VM sends the packets in clear text, not through the Smart Tunnel connection to the ASA. This has been addressed by Cisco bug ID CSCue17876, "Some java applets won't connect via smart tunnel on windows with jre1.7."